Using scans to discover attack surface

So you’ve gotten an instance of intrigue-core up and running using the AMI or Docker guide, but what now!? Give scans a try. Here’s how.

Create a new project. Let’s run this one on Mastercard (they run a public bounty on Bugcrowd):

Now, run a “Create Entity” task to create a DnsRecord with the name “mastercard.com”.

This time, however, let’s set our recursive depth to 3. This will tell the system to run all viable tasks when a new entity is created, recursing until we reach our maximum depth:

Hit “Run Task” and you’ll see that our entity was successfully created:

Now, let’s browse to the “Results” tab and get an overview of the “Autoscheduled Tasks” that have been kicked off automatically:

Wow, 83 tasks in just a few seconds! Core is FAST, thanks to Sidekiq and Sequel. Now we can browse over to the “Graph” tab, and get an overview of the entities (nodes) and the tasks (edges) that created them.

Note that the graph is generated every time you load the page, so you will need to refresh a couple times to get the graph to show. You can zoom in and out to get details on the nodes:

Browsing over to the “Dossier”, you can see that there’s some fingerprinting happening on the webservers, based on the page contents. Note that there’s nothing invasive happening here; this is simply doing page grabs and analyzing the results:

One neat feature is that core actually parses web content, including PDFs and other file formats, to pull out metadata. More to come on this!
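To make the recursive depth setting and the entity/task graph from the walkthrough concrete, here is a toy model added for illustration; it is not intrigue-core's code. The task names, the depth convention (seed at depth 0, tasks scheduled only below the maximum depth) and the lookup data are constructed assumptions.

```ruby
# Hypothetical task table: entity type => tasks that can run on that type.
TASKS = {
  "DnsRecord" => %w[dns_lookup subdomain_search],
  "IpAddress" => %w[reverse_lookup],
  "Uri"       => %w[page_grab]
}.freeze

# Constructed results standing in for live lookups: [task, entity] => found entities.
FOUND = {
  ["subdomain_search", "example.com"] => [["DnsRecord", "www.example.com"], ["DnsRecord", "mail.example.com"]],
  ["dns_lookup", "example.com"]       => [["IpAddress", "192.0.2.10"]],
  ["dns_lookup", "www.example.com"]   => [["IpAddress", "192.0.2.10"], ["Uri", "http://www.example.com"]],
  ["dns_lookup", "mail.example.com"]  => [["IpAddress", "192.0.2.25"]],
  ["reverse_lookup", "192.0.2.25"]    => [["DnsRecord", "mx.example.com"]],
  ["dns_lookup", "mx.example.com"]    => [["IpAddress", "192.0.2.26"]]
}.freeze

# Breadth-first expansion: the seed sits at depth 0, and tasks are scheduled on
# an entity only while its depth is below max_depth (an assumption of this model).
def scan(seed_type, seed_name, max_depth)
  depth_of  = { seed_name => 0 }         # nodes, with the depth they were found at
  edges     = []                         # [source entity, task, created entity]
  queue     = [[seed_type, seed_name]]
  tasks_run = 0
  until queue.empty?
    type, name = queue.shift
    next if depth_of[name] >= max_depth  # depth limit reached: keep the node, stop recursing
    TASKS.fetch(type, []).each do |task|
      tasks_run += 1
      FOUND.fetch([task, name], []).each do |new_type, new_name|
        edges << [name, task, new_name]
        next if depth_of.key?(new_name)  # already known: record the edge, don't re-queue
        depth_of[new_name] = depth_of[name] + 1
        queue << [new_type, new_name]
      end
    end
  end
  { nodes: depth_of, edges: edges, tasks_run: tasks_run }
end

if __FILE__ == $PROGRAM_NAME
  (1..3).each do |d|
    r = scan("DnsRecord", "example.com", d)
    puts "depth #{d}: #{r[:nodes].size} entities, #{r[:tasks_run]} tasks, #{r[:edges].size} edges"
  end
end
```

Each extra level of depth multiplies the work, and an entity reached by two different tasks gets two edges but is only expanded once, which is what keeps the task count bounded.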